Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"

That's the beauty *cough* of the DMCA. They already are illegal! They will continue to be illegal until the Library of Congress makes an exemption [wikipedia.org].

I'm not completely sure if owning them is legal or not. The DMCA prevents "dissemination of technology, devices, or services intended to circumvent measures". Later provisions in the law cover cases where the device is not intended for circumvention, but is frequently used that way, such as open source DVD player software, which is not intended for copying the DVD, but can be used that way. Simply owning an Arduino would not qualify as "dissemination", but if you unknowingly sold or gave away your Arduino, I'm pretty sure you could be charged with breaking the DMCA. It's unlikely that you would be charged, unless the person that bought your Arduino proceeded to use it to break into a hotel room, but the point is that it's nearly impossible to avoid breaking this law!

When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

Their presentations may or may not get suppressed, but this approach pretty much ensures he will get sued.

Worse, in his paper he uses an example of framing a hotel employee for murder! While dramatizing the vulnerability is not uncommon amongst hackers looking to draw media attention to the seriousness of their claims, suggesting a plan for murder is a really, really poor choice. The consequences of this could be even higher than the civil penalties of a lawsuit.

That is, unless he is planning to use the Basic Instinct Defense "What, do you think I am stupid enough to publish details of how a murder could be committed, by anyone, using these devices, and then do it myself?"

Though, if he tries it, I hope he remembers, the short white dress and no underwear is key to making it work.

Such circumstantial evidence, placing a staff member in the room at the time of death, could be damning in a murder trial, and at least would make that staff member a prime suspect. While other factors (e.g. closed circuit cameras, eyewitnesses, etc) could be used to support the staff member's case, there's no way we can know whether or not the audit report is false.

Unless you believe that Brocious can somehow know the details of every murder trial currently going on anywhere in the world at this time, this fact is actually an excellent defense for justifying immediate disclosure.

And anyway, if your interesting legal theory was correct, the broadcast of every Columbo episode, for example, would have exposed {N,A}BC to criminal charges or civil liability. Not likely.

But that won't stop an attorney hell-bent on suing him into oblivion from bringing it up in court negatively as well: "The defendant literally told people how to use his device to get away with murder! This is further evidence that he was being malicious towards the plaintiff in his disclosure, which is why you must find in favor of my client."

If they truely can not fix these locks without physically replacing them, I can garentee any prior contact with them about this bug would have resulted in every legal and possible assumed legal resposnse they could think of to prevent him from disclosing the information.The end result would be no disclosure and everyone that stays in one of these hotel rooms is at risk. At least if the information is public, people can take action to protect themselves and their stuff by using the deadbolt/latch, the safe,

When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

Plus in this case, what could Onity have done? They cannot create an update that is automatically downloaded and installed over the next month onto those locks, like with Windows or Flash. If they knew about this before, and had a proper fix for it, then they would have to communicate it to thousands of hotels, and that would result in disclosure as well.

From TFA: He tested this hack on three randomly choosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors.
I'll stick to being worried about corrupt security guards.

From TFA: He tested this hack on three randomly choosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

When I travel, I leave my stuff out everywhere similar to what I do at home, throw loose bills and change on the table, laptop sitting out possible still plugged in and on. I average about 30 nights a year in a hotel room and I've never had a problem with anything mising that I've noticed. When my room is cleaned, all of my stuff is still in the same exact place or its moved into one neat pile instead of many scattered piles. It only takes one corrupt person though but its not like the one time you forge

Got out of the pool, wrapped in a towel, went to the desk.– Oh, ma'am, I'm sorry, I guess I forgot my key in the room. Can somebody open the room for me? It's 104– Don't worry, click-click-swipe. Here is a new key for you. Cheers!

I suspected upon hearing this that he was trying to bitbang a protocol using the Arduino functions such as delaymicroseconds and digitalwrite and he was probably having to adjust these to account for inconsistencies caused perhaps between locks (where battery voltage may affect timing) but also the inherent timing problems caused by the braindead manner in which these "friendly" functions operate. Even worse, he is using the Arduino's Serial library which is even worse about causing timing and memory problems.

Upon reading his code I found that assumption to be correct. If he ditched the Arduino library and wrote correct AVR code using ISR's and hardware timers to implement the communication protocol I think the reliability of the exploit would dramatically improve. Reading his analysis of the protocol I even think the two-wire interface could be used directly with a tiny bit of extra hardware. Also, the Arduino MEGA is unnecessary; a normal arduino or even a $2 ATTiny would do this job fine.

I should mention that it's not his fault that the Arduino library is terrible code and that its essentially unusable for this kind of thing; they do sort of purport that is more capable than it is. I do however suggest that you adjust your thoughts on the reliability of his exploit.

When demonstrated for the reporter, the hack only worked on *one* out of *four* of the doors tested in a REAL hotel, and then only on the second attempt after Brocious fine tuned and tweaked his software. Also, this can be defeated by simply using any one of the mechanical locks on the door.

The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack. Keep in mind that there are plenty of AUTHORIZED users of master card keys on the hotel staff.

When a hotel staffer uses a master key card, it's logged (the security system notes which key was used when). Presumably with this hack, that isn't necessary. Also, the ability to open the doors on 25% of hotel rooms is still a concern.

99% of the shit I've worked with at hotels (from an installation POV) just checks that the mag card has a particular number in track 3. They're dumb as fuck.Putting the word "ADM" in track 2 unlocks most of the doors in many hotels. Sad but true fact.

All locks can be defeated with enough effort. The goal often is make it obvious that a lock was defeated - by leaving an electronic trail or physical one (broken door for e.g.). Akin silent data-loss, silent compromise of a lock is much much worse.

The problem with using the mechanical bolt or slide lock is that they must be operated from *INSIDE* the room. I don't know about others, but when I'm staying at a hotel it is because I am attending a conference or something, so most of the time I am not inside the room. So the deadbolt or chain lock does nothing. If a bad guy wanted in while someone was inside, all he would have to do is knock on the door and say "Hotel security. Open the door, please".

>>>Cause otherwise I don't quite understand how claiming to be hotel security causes the door to open.

Because you can't read.If a bad guy wanted in while someone was inside, all he would have to do is knock on the door and say "Hotel security. Open the door, please". I had this happen to me one time except it was a cop. I refused to open the door, so the cop went across the aisle to the neighbor instead (the source of a marijuana smell).

not only that but every hotel has cleaning people on every floor every day. there are cameras everywhere in common areas. a person loitering outside a door will not only be on camera but any maid can call it in to security.

security is the whole system, not like every individual piece has to be 100% secure

that's why stock iphones have never had a big security issue. iOS by itself is not 100% secure but combine it with the app store and the apple ecosystem and there has never been a big malware incident

It's easily and effectively argued that security through obscurity does no one any good, but responsible disclosure is still widely considered to be a good practice. Supposing a vendor is willing to fix their serious bugs, it really helps in preventing large scale attacks between the time of disclosure and reaction (by the vendor). If Onity had been willing to replace all it's locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect it's long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw. It's unlikely that such a large-scale replacement of locks would have been pursued, but giving Onity an opportunity to consider that option would have been responsible. It helps Onity, but it also helps customers of Onity (like Hotels who might have chosen to replace their locks, or individuals who might ask questions before going to a particular hotel). Now everybody knows it can be done, and many will try. Sure, an NSA intern could have figured it out, but the fact remains that it was not being massively exploited for large-scale robberies, for e.g.. Targeted exploits are bad - no doubt - and I'm sure some of this was already going on, but there isn't much doubt that the sum total of targeted exploits does less bad than what might happen now - namely large scale exploits. I suppose I'm arguing that security-through-obscurity does work - but in a targeted and limited fashion - as to provide cover for short durations when real security is pursued. It may not work, but it's worth a try - and by going public before giving Onity a chance to pursue a 'fix', this researcher has, in my books, acted against public good.

If Onity had been willing to replace all it's locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect it's long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw.

Responsible disclosure is a fair response to a responsible failure. Few of these that make the news are responsible failures. Chisellers dressed up in security theatre profiting from their faux contrivances while playing this stupid game of harassing the bearer of bad news, as if the bearer of bad news is an indentured, unpaid employee.

I understand the source of this faux reverence for charlatans much better after reading God is not Great. Scientology was a crock from day one, but now that so many gentle and naive souls have absorbed this crockery and imbued it with deep personal meaning, those of us who are deeply offended by the shitbag Hubbard are supposed to subside into polite silence. I asked myself after reading Hitchens: Why do I sit around keeping a respectfully stiff upper lip about xemufascism? To hell with that.

Banks should not be bailed out of bad loans, and security professionals should not be bailed out for chrome-plating obscurity. When the mistake is subtle enough to make a patent examiner's head explode, I'm all for responsible disclosure. Either pass the bar, or don't let the door hit you on the way out.

I'm fine with this point of view if it can be assured the person going to the company first wont then get sued for what they've exposed as a flaw.

The way things are now, you're more likely to get sued and shut up by a court order before you could tell anyone else. Atleast this way, the public is aware of the issue before they get sued. If anything, this assures the public is served important information and does more for public good then going to the company directly.

In this case he took it upon himself to decide that "there is no possible fix therefore responsible disclosure won't help." But we don't know for sure that the company can't fix the problem with some kind of software update - that's simply his claim. If there is a way to update the EEPROM, any way at all, then a software update could have fixed the problem. Sure, it would be a breaking change to the existing card key systems, but it might not entail a hardware fix to millions of hotel room doors. This guy never gave them that chance.

Notification would have enabled the company to create an update plan, to order a million new circuit boards, to redesign the protocols, to schedule repair crews, to do whatever it took to fix the problem, and to have all that stuff prepared before his disclosure. No matter who they are and how badly they want to fix the problem, this is a year long process at least. Now, during that entire year, bad guys with Arduinos will have full access to unoccupied hotel rooms.

And he's going to get sued into the next millennium. Not only are the plaintiffs going to use arguments like the above, but they're also going to drag his business dealings into it. They're going to make claims like "he's disgruntled because his business venture failed, and he did this out of spiteful retaliation." They're going to throw so much trash at him that I'm not sure even Johnny Cochran would have been able to get him out of trouble.

If true it's a pretty poor show by Onity, but I'm sure governments have had plenty of success simply forcing, tricking or bribing the hotel desk or cleaning staff into opening the rooms for them. I'm pretty sure that all the US government would have to do is turn up with a warrant and be given access to any room they like regardless of the type of lock used.

Silly Reader, warrants are so 20th century. These days, they just show a letter, that you can't discuss with anyone, citing a "secret" law. Yes, it's unconstitutional, but if you're a $12/hour clerk, and the guy with the gun is asking, are you going to make a fuss?

The key is silent access, as another poster mentioned. If hotel staff use the master key-card, that's logged to the security system. If police show up with a warrant, that warrant is part of the public record (in most cases) and shows up in the police logs. In any of those cases, there's a way to know about the breach nearly as soon as it happened. With this crack, there's no record that the security system was defeated, which makes recovery even more difficult. Consider the following:

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole.

And you can't recharge the battery any more - so sooner or later your lock is going to be out of service.

Cover the whole with an exterior lock.

Probably impossible as the current casing has not been designed for that; and anyway they all will end up with a single physical key: copy that and you're good. And anyway this requires a physical modification to the lock, likely the whole outer casing, not much less work than replacing the whole lock.

Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory.

That is equivalent to changing out the main board of the lock. Which is probably more practical: it is not likely this lock has any space inside to install an extra board inside. Besides considering how modern devices are designed, replacing the lock is probably easier to do than replacing or adding a circuit board. Which is definitely not something your run-of-the-mill handyman can do.

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock.

That port is used to recharge the battery in the lock.

Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

The board itself is probably cheap, removing the port from the board and soldering in a new daughter board/port would be expensive.
I don't see any advantage to that over replacing the whole board, which is what the article ("New circuitboards will have to be installed in every affected lock,") actually suggests.

Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware.

Brocious's full time job was to reverse engineer Onity's locks and front desk systems for a startup; he probably knows whether the lock has upgradable firmware.

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

Fill the hole: No. Read the article. The hole is needed and used routinely to charge the battery and reprogram.Cover the hole with an exterior lock: So this is your plan to avoid changing out the lock? Add yet another lock on top? And how secure is that lock?Add a circuit ahead of the main board: Where? There is no room for that. You would have to replace the entire main board.Firmware fix: Perhaps possible, but these are very old designs using very limited microcontrollers. And you would still have to replace every reprogramming device in the field to get around this because your solution would also prevent reprogramming the lock.

So, NO, the article is not completely wrong. Your post is pretty close to completely wrong.By the time you do any of the modifications you suggest, it would be cheaper to change the lock.

And none of those changes could be accomplished by the handyman. At best, they might be able to change out the lock. Most of those guys know how to swing a wrench and a toilet plunger. They are not very good at board level soldering. Even worse at changing microprocessors inside a lock chassis designed specifically to be tamper resistant.

Best case is that they can replace the entire circuit board using cheaper more modern ICs in the same amount of space. But even that is likely to more expensive to than just replacing every single lock.

In actuality, This will never be done, until the next hotel remodel. Additional theft insurance, maybe purchased by the manufacturer, will be by far the cheapest alternative.

The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.

You know that your intentions are honorable, that you wouldn't (for instance) rob a hotel room, and that maybe you are part of the process by which society gets stronger over the long run, but the audience of Forbes is predisposed to see you as a shady menace (or cost multiplier). And the audience of Forbes has more real influence to pass laws that restrict or limit access to your favorite toys (prior examples being some telephony tools, radio electronics, lockpicks, encryption software, etc.).

It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to this crowd (or the general public, actually).

Exactly! Better evidence to prove GP's point does not exist. Just look respectable and society at large won't punish you for losing trillions to enriching yourself. If we all started showering regularly we could own this town!

If those people are such sorry excuses for human beings as to judge someone based on the clothes they wear, they can fuck right off. There is nothing inherently respectable about wearing slacks, and quite a lot inherently disrespectable about judging people based on appearances. It's just another manifestation of the base tribal instincts that are responsible for racism, and it's not a bit nicer.

The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.

He's a hacker, at a hacking conference, doing something that happened to be of interest to Forbes.

It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to

I read about this on BBC News [bbc.com] this morning, and two things struck me:

1. "In tests Mr Brocious conducted with Forbes news site, the system did not prove entirely successful - only one of the three doors, at three hotels in New York, opened." So it doesn't work everywhere, but it's a good proof of concept. From the above ExtremeTech article: "Brocious found that he could simply read this 32-bit key out of the lock’s memory. No authentication is required... By playing this 32-bit code back to the lock .

Obviously that person meant the chain lock that's separate from the key card lock. I hope not just the deadbolt; the ones built in to hotel key card lock mechanisms can be opened by the master key card. Not the ones the housekeepers carry but the one the chief maintenance guy keeps in his office. One assumes this hack can open the bolt as well as the regular latch.

Was it an official International Youth Hostel? I avoid those as much as I can and stay in private hostels, usually one recommended by the hostel in the previous leg of my trip. Most private hostels have lockers where you can use your own padlock, so much less risky. (This is anywhere outside US, don't know anything about US hostels and don't want to know either)

Is hostel a EU spelling of hotel? Not familiar with the hostel spelling. YOu said it more than once, so guessing it isn't just a typo....

Obviously that person meant the chain lock that's separate from the key card lock. I hope not just the deadbolt; the ones built in to hotel key card lock mechanisms can be opened by the master key card. Not the ones the housekeepers carry but the one the chief maintenance guy keeps in his office. One assumes this hack can open the bolt as well as the regular latch.

We had a problem with a hotel safe once. When the tech guy came he popped the plastic keypad off to expose a serial port then hooked up his iPhone to it and opened the door. I wonder how secure that is...

We had a problem with a hotel safe once. When the tech guy came he popped the plastic keypad off to expose a serial port then hooked up his iPhone to it and opened the door. I wonder how secure that is...

Lies! iPhones and iPads are for content consumption only, and cannot possibly used for real work.

There may be quite a number of people who have had items stolen from rooms "secured" by these locks now wondering what really happened. I also wonder whether there are any fired hotel staff who have been wronged in this. As Brocious points out, the hack is rather trivial and he's unlikely to have been the first/only person to have figured it out.

Its FAR FAR more likely that a hotel maid's card or a master card was duplicated by her shady love interest than anyone else detecting this.

I would say its probable that there is NOBODY who discovered this without inside knowledge. After all, who goes around plugging stuff into random sockets in hotel room locks without some inside knowledge of what that socket is for?

He didn't just happened to stumble on a micro-controller out of his TV remote that did this. He had to custom build a processor to do this.